Researcher Michal Zalewski has uncovered more crash bugs in the Firefox browser. They affect the current version 1.5.0.6. Zalewski has released proof-of-concept attacks. See here: http://lcamtuf.coredump.cx/ffoxdie.html (Click at your own risk with JavaScript enabled to crash your browser)
The vulnerability results in memory corruption. The cause is a race condition that causes mismanagement of memory, such as freeing the same area twice.
Definition of a race condition:
Irregular behavior of a program due to unexpected critical dependence on the relative timing of events. For example, two different processes may be simultaneously reading from and writing to the same file, resulting in data read not being up-to-date.
When JavaScript timers or other browser events interrupt browser components while they are running, freed memory structures are potentially left in an unexpected state.
Such attacks can often lead to arbitrary code execution, but there is no proof that this one can.
Due to heavy code re-use in the Mozilla family, it’s possible that products other than Firefox are vulnerable.
So NoScript on, and not a lot can get wrong.
I also found that XPCOM_CORE.DLL, NSPR4.DLL, PLC4.DLL and PLDS4.DLL in the components folder have errors on opening through JAR50.DLL, at least as found by Dependency Walker. If you have one wrong plug-in installed, it can also crash this browser; to my knowledge Flock is less sensitive here.
Secunia Research has discovered a vulnerability in Mozilla Firefox 1.5 branch, which can be exploited by malicious people to compromise a user's system.
H. D. Moore reported a testcase that was able to trigger a race condition where JavaScript garbage collection deleted a temporary variable still being used in the creation of a new Function object. The resulting use of a deleted object may be potentially exploitable to run native code provided by the attacker.
The vulnerability is caused by a memory corruption error within the handling of simultaneously happening XPCOM events, which leads to use of a deleted timer object. This generally results in a crash but potentially could be exploited to execute arbitrary code on a user's system when a malicious website is visited.
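The race described in the quoted advisories (a timer object deleted by one path while another path still uses it) comes down to object lifetime. As an added illustration that is not part of this thread and not Mozilla's code, here is a small reference-counted timer in C in the style of XPCOM's AddRef/Release: each pending event holds its own reference, so the object is freed exactly once, after the last user is done. The event queue, the handler names and the constructed "demo-timer" are assumptions made for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration (not Mozilla code): a minimal reference-counted timer
 * in the style of XPCOM's AddRef/Release. It shows why "use of a deleted
 * timer object" is avoided when every code path that can still touch the
 * timer (the firing path and a cancel/garbage-collection path) holds its
 * own reference, so the object is freed exactly once, after the last user. */

typedef struct Timer {
    int  refcnt;      /* number of live owners of this object */
    int  fired;       /* set to 1 once the fire handler has run */
    char name[32];    /* diagnostic label only */
} Timer;

/* How many times the destructor ran in the current scenario; must be 1. */
static int g_destroy_calls = 0;

static Timer *timer_create(const char *name) {
    Timer *t = calloc(1, sizeof *t);
    if (t == NULL) return NULL;
    t->refcnt = 1;                       /* the creator holds the first reference */
    snprintf(t->name, sizeof t->name, "%s", name);
    return t;
}

static void timer_addref(Timer *t) { t->refcnt++; }

/* Drop one owner. Memory is released only when the count reaches zero, so a
 * queued event that still holds a reference never sees freed memory, and as
 * long as each owner releases exactly once there is no double free.
 * Returns the number of owners remaining (0 means the object is gone). */
static int timer_release(Timer *t) {
    int left = --t->refcnt;
    if (left == 0) {
        g_destroy_calls++;
        memset(t, 0, sizeof *t);         /* scrub before free so stale reads fail loudly */
        free(t);
    }
    return left;
}

/* A queued browser-style event: a handler plus the timer it refers to.
 * Each queued event owns one reference for as long as it is pending. */
typedef struct Event {
    void (*handler)(Timer *);
    Timer *timer;
} Event;

static void on_fire(Timer *t)   { t->fired = 1; timer_release(t); }
static void on_cancel(Timer *t) { timer_release(t); }   /* e.g. GC tearing down the owner */

/* Queue a fire event and a cancel event against one timer, in either order,
 * then drain the queue. Returns 1 if the fire handler saw a live object and
 * the timer was destroyed exactly once, else 0. */
int run_scenario(int cancel_first) {
    g_destroy_calls = 0;
    Timer *t = timer_create("demo-timer");   /* constructed sample, refcnt == 1 */
    if (t == NULL) return 0;

    Event queue[2];
    timer_addref(t);
    queue[0] = (Event){ cancel_first ? on_cancel : on_fire, t };
    timer_addref(t);
    queue[1] = (Event){ cancel_first ? on_fire : on_cancel, t };

    /* The unsafe pattern would free t inside on_cancel and let the other
     * event touch freed memory; here on_cancel only drops its own reference. */
    for (int i = 0; i < 2; i++)
        queue[i].handler(queue[i].timer);

    /* The creator's reference is still live, so inspecting t is safe. */
    int fired = t->fired;
    int destroyed_early = g_destroy_calls;  /* must still be 0 here */
    timer_release(t);                       /* last owner: frees exactly once */

    return fired == 1 && destroyed_early == 0 && g_destroy_calls == 1;
}

int main(void) {
    printf("fire then cancel: %s\n", run_scenario(0) ? "ok" : "FAIL");
    printf("cancel then fire: %s\n", run_scenario(1) ? "ok" : "FAIL");
    return 0;
}
```

Both event orders return 1 because ownership, not event timing, decides when the timer dies; that is the property the advisory's "deleted timer object" violates. The scrub-before-free is a defensive habit that turns a stale read into an obvious zeroed object rather than silently reused memory.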
Well, the proof is in the pudding: click the link I gave in the top posting of this thread, with JavaScript enabled, and after 20 sec you will know whether this results in a crash.
As far as I could establish, the error is in opening the file XPCOM_CORE.DLL (where there are some 73 imports) for the NSGetModule import tables. Another complicating factor is the delay through Windows that causes the errors in opening, as you view it through Dependency Walker. This I established for jar50.dll v 1.8.20060.7278 and in NS_Alloc_P.
Hi Polonus,
I also have F.F. 1.5.0.6. I clicked on the link you posted in your first post. I saw the pic of the woman, waited for 1 to 2 mins, no crash. Clicked on “More Pictures” link, saw some pictures of a cat and other stuff. Still no crash. This is with “no script” activated and then not activated. Not sure why my F.F. remained stable? Oh well. Thanks for the info. By the way, my JavaScript WAS enabled in F.F. when doing this.
Installed NoScript, tried again and it did its job very well, no crash at all. When I enabled global scripts (or just scripts from that page) to be run, it crashed again, so that made me wonder about what some of you said here:
How did you “deactivate” the NoScript extension, Neal, Crofty and Cloussau?
I don’t know what you experience, but after the last update I experience that there is something wrong with the stability of FF, and that is why I use Flock. No problems with Flock with the full security Christmas tree installed, as stable as a rock, Sir.
With the latest Flock, it could of course be due to a corrupt DLL file. I find several start-ups that Flock closes because of the jar50.dll problem I have, and I suspect that it is in conjunction with xpcom_core.dll (which has to sort out 73 imports). Then the jar50.dll and the four other DLLs it calls are not in one and the same browser file as well (jar50.dll makes errors in nspr4.dll, plc4.dll, plds4.dll, and the notorious xpcom_core.dll; see nsXPCOM.h). Then the digital signature is not valid, and this SF does not contain a valid hash of the MANIFEST.MF file. For the moment I use Flock or Opera. FF with NoScript is not crashing because of the bug mentioned in this thread.
I could solve the problems with jar50.dll and plc4.dll errors only through a new fresh install of Portable Flock latest build.
Sure the corruption was through SiteAdvisor, a Firefox bug (various race conditions).
Read about other bugs, and why FF goes 1, 2, 3 on installing a plug-in from here: http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs
Very serious situation, don’t we think so, folks? Also Google apps can cause this browser to crash relentlessly.